
Wednesday, 13 March 2013

FTP vs FTPS vs SFTP: Difference between FTP, FTPS and SFTP - Which one to use?


The terms FTP, FTPS and SFTP are often confused because the differences among them seem very minute. In simple words, FTP is a basic file transfer protocol, while FTPS and SFTP provide secure file transfers. SFTP uses the Secure Shell Protocol to send data securely, while FTPS uses SSL. Whether to use FTPS or SFTP depends on the nature and requirements of your application. Let's understand the usage of, and differences between, FTP, FTPS and SFTP.

FTP (File Transfer Protocol)

FTP is the File Transfer Protocol, which defines the rules and standards for transferring files from one host to another over a network using TCP/IP.

It was first proposed in RFC 114 over 40 years ago and eventually evolved into RFC 959 which is the standard that FTP clients and servers follow today.

Security Issues with FTP: FTP transfers data over the network unsecured, i.e. the username, password, files and FTP commands are all sent in clear text. This data can be read by anyone on the network.

SFTP (Secure File Transfer Protocol)

SFTP is the replacement for FTP that transfers data securely using the Secure Shell Protocol.

SFTP has the following features:

1. SFTP encodes the data while transferring it on the network.
2. SFTP encrypts both commands and data, providing effective protection against common network security risks.
3. SFTP encrypts the session, preventing the casual detection of your username, password or anything you’ve transmitted.

FTPS (File Transfer Protocol – SSL)

FTPS is not a replacement for FTP. FTPS implements the original FTP protocol through a separately created secure tunnel. FTPS is pure FTP over SSL/TLS (Secure Sockets Layer / Transport Layer Security), which encrypts the control session and, if required, the data sessions during transmission over the network.

With FTPS the control session is always encrypted, but the data session might not be. Encrypting the control session protects the authentication, which you always want (normal FTP uses clear text). If you are not pre-encrypting the file, you want the data session encrypted so that the file is protected while the data is in flight. However, if you are pre-encrypting the file, you do not need to encrypt the data connection: the file is already encrypted, so encrypting the connection only adds overhead.
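The split between the control session and the data session described above can be checked from a client's command log. The Python sketch below is an added example, not code from the original post: it assumes explicit FTPS using the AUTH, PBSZ and PROT commands of the RFC 2228 extensions and that every logged command succeeded, and the function name and sample sessions are constructed for illustration.

```python
# Added example: audit the commands a client sent on the FTP control channel.
# Assumptions: explicit FTPS (AUTH/PBSZ/PROT), and every logged command succeeded.

TRANSFER_VERBS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST"}

def audit_ftp_session(commands):
    """Report whether credentials and each data transfer were protected."""
    tls_control = False     # set once AUTH TLS/SSL secures the control session
    data_protected = False  # set by PROT P, cleared by PROT C
    findings = {"cleartext_credentials": False,
                "cleartext_transfers": [],
                "protected_transfers": []}
    for line in commands:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            tls_control = True
        elif verb in ("USER", "PASS") and not tls_control:
            findings["cleartext_credentials"] = True
        elif verb == "PROT":
            # The data session is only encrypted after PROT P on a TLS control session.
            data_protected = tls_control and arg == "P"
        elif verb in TRANSFER_VERBS:
            key = "protected_transfers" if data_protected else "cleartext_transfers"
            findings[key].append(line.strip())
    return findings

# Constructed sample sessions (not captured from a real server).
PLAIN_FTP = ["USER alice", "PASS example-password", "PASV", "RETR report.csv"]
FTPS_CONTROL_ONLY = ["AUTH TLS", "USER alice", "PASS example-password",
                     "PBSZ 0", "PROT C", "PASV", "STOR backup.tar.gpg"]
FTPS_FULL = ["AUTH TLS", "USER alice", "PASS example-password",
             "PBSZ 0", "PROT P", "PASV", "RETR report.csv"]

if __name__ == "__main__":
    for name, session in [("plain FTP", PLAIN_FTP),
                          ("FTPS, PROT C", FTPS_CONTROL_ONLY),
                          ("FTPS, PROT P", FTPS_FULL)]:
        print(name, audit_ftp_session(session))
```

In the PROT C session the upload of the pre-encrypted backup.tar.gpg is reported as a cleartext transfer even though the login was protected, which is the case where the file's own encryption has to carry the confidentiality.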

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm. For authentication, FTPS (or, to be more precise, the SSL/TLS protocol under FTP) uses X.509 certificates, whereas SFTP (the SSH protocol) uses SSH keys.

FTP vs FTPS vs SFTP (Difference between FTP, FTPS, SFTP)

FTP: With FTP, both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read.

FTPS: In order to address the security issues with FTP, a set of security extensions to the original FTP protocol were proposed in RFC 2228 that protect FTP data as it travels over the network using SSL encryption.

SFTP: SFTP is often confused with FTPS and vice versa, even though these protocols share nothing in common except their ability to securely transfer files. SFTP is actually based on the SSH (Secure Shell) protocol, which is best known for its use in providing secure access to shell accounts on remote servers.

Unlike FTPS, SFTP does not utilize separate command and data channels. Both data and commands are transferred in specially formatted packets via a single connection.

Which One To Choose? FTPS or SFTP

As usual, the answer depends on what your goals and requirements are. In general, SFTP is technologically superior to FTPS. Of course, it's a good idea to implement support for both protocols, but they are different in concepts, in supported commands, and in many other things.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices (smartphones, PDAs, and the like) or from some specific operating systems that have FTP support but don't have SSH/SFTP clients. If you are building a custom security solution, SFTP is probably the better option.

As for the client side, the requirements are defined by the server(s) that you plan to connect to. When connecting to Internet servers, SFTP is more popular because it's supported by Linux and UNIX servers by default.

For private host-to-host transfer, you can use both SFTP and FTPS. For FTPS, you would need to search for free FTPS client and server software or purchase a license for a commercial one. For SFTP support, you can install an OpenSSH package that provides free client and server software.